Security wrapper methods and systems

ABSTRACT

In one example, a web content security system embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors is provided. The web content security system includes a communications monitor module that monitors at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server, and that identifies a potential threat based on the data communications. A logger module generates report data based on the identified potential threat.

CROSS-REFERENCES TO RELATED APPLICATIONS

This patent application claims priority to US Provisional Patent Application Ser. No. 61/168023, filed Apr. 9, 2009 which is incorporated herein by reference in its entirety.

FIELD

The present disclosure relates to security methods, systems, and computer program products for internet content.

BACKGROUND

Web-based advertisements have become increasingly popular. Advertisements can be provided in varying forms including video clips, animations, and/or static images. The advertisements can be displayed by a web page by dynamically integrating a specific advertisement into a static display object or a video object. The dynamic integration allows for various advertisements to be displayed by the web page without altering the web page each time a new advertisement is displayed.

In some instances, security of the advertisement objects is compromised when unknown sources script to and redirect the web browser so that an advertisement from a third party supplier can be loaded into and displayed by the objects. Detection and prevention of such intrusions is desirable.

SUMMARY

Accordingly, in one example, a web content security system embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors is provided. The web content security system includes a communications monitor module that monitors at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server, and that identifies a potential threat based on the data communications. A logger module generates report data based on the identified potential threat.

Further areas of applicability will become apparent from the description provided herein. It should be understood that the description and specific examples are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The drawings described herein are for illustration purposes only and are not intended to limit the scope of the present disclosure in any way. It should be understood that throughout the drawings, corresponding reference numerals indicate like or corresponding parts and features.

FIG. 1 is a block diagram illustrating a computing system that includes a content security management system in accordance with an exemplary embodiment of the present disclosure.

FIG. 2 is a block diagram illustrating a web page including a content security manager in accordance with an exemplary embodiment.

FIG. 3 is a dataflow diagram illustrating the content security manager of FIG. 2 in accordance with an exemplary embodiment.

FIGS. 4A-4C are illustrations of exemplary implementations of the content security manager of FIG. 2 for a video player of the web page in accordance with an exemplary embodiment.

FIGS. 5A-5B are illustrations of exemplary implementations of the content security manager of FIG. 2 for web objects of the web page in accordance with an exemplary embodiment.

FIG. 6 is a flowchart illustrating a security method that can be implemented by the content security manager of FIG. 3 in accordance with an exemplary embodiment.

DETAILED DESCRIPTION

Turning now to the drawings in greater detail, it will be seen that in FIG. 1 an exemplary computing system 10 includes a content security management system of the present disclosure. The exemplary computing system 10 is shown to include a computer 12 that communicates with one or more servers 14, 16 via a network 18. The computer 12 includes a processor 20 and one or more data storage devices 22. The processor 20 can be any custom made or commercially available processor, a central processing unit (CPU), an auxiliary processor among several processors associated with the computer, a semiconductor based microprocessor (in the form of a microchip or chip set), a macroprocessor, or generally any device for executing software instructions. The one or more data storage devices 22 can be any internal or external data storage devices including, but not limited to, random access memory (RAM), read only memory (ROM), a cache, a stack, or the like which may temporarily or permanently store electronic data of the computer 12.

As can be appreciated, the computer 12 can be any computing device that includes a processor 20 and a data storage device 22, including, but not limited to, a desktop computer, a laptop, a workstation, a cell phone, and a personal handheld device. The computer 12 is shown to be associated with a display 24 and one or more input devices 26, 28 that can be used by a user to communicate with the computer 12. As can be appreciated, such input devices 26, 28 can include, but are not limited to, a mouse, a keyboard, and a touchpad.

The data storage device 22 stores software instructions of a browser application 41 and the processor 20 executes the instructions of the browser application 41. The browser application 41 generates a web browser 42 that is presented to a user by the display 24. The user interacts with the web browser 42 via the input devices 26, 28 to navigate to a particular web page 44. The browser application 41 retrieves the web page 44 from the servers 14, 16 via the network 18.

The servers 14, 16 similarly include one or more processors 30, 32 respectively and one or more data storage devices 34, 36 respectively. In various embodiments, the server 14 is a main server that includes a web page manager 38 and the server 16 is a web content server that includes a web content manager 40. The web content manager 40 manages web page content that is stored in the server 16. Such web page content can include, but is not limited to, displayer content such as video player data and ad display data used to generate a video player or an ad displayer of the web page 44, and display data such as video data and ad data that is displayed by the video player or the ad displayer. As can be appreciated, the web page content can include any data that is dynamically displayed by the web page 44.

The web page manager 38 manages web page requests that are initiated by a user interacting with the web browser 42. Based on the requests, the web page manager 38 constructs and delivers the web page 44. As shown in FIG. 2, an exemplary web page 44 can include one or more web objects 46-58 and one or more content security managers 60. The web objects 46-58 can include, but are not limited to, video player objects 58, advertisement objects 52-56, poll objects 48, game objects 50, and information objects 46 (e.g., weather objects, time objects, calendar objects, etc.). The web objects 46-58 communicate data with each other as well as with the servers 14, 16 (FIG. 1). The content security manager 60 monitors the communications between the web objects 46-58 as well as communications between the web objects 46-58 and the servers 14, 16 (FIG. 1), to identify and report potential threats. In various embodiments, any third party features and/or applications that are not part of or local to the web application and provided by a vendor directly or indirectly are tracked, stored, monitored, and/or blocked, if found as a threat, and communicated to other computers or servers participating in the security defense mechanism.

With reference back to FIG. 1, to construct the web page 44, the web page manager 38 communicates with the web content manager 40 to retrieve web page content associated with the particular page, constructs the web page 44 based on the displayer content associated with the one or more web objects 46-58 (FIG. 2), embeds the content security manager 60 (FIG. 2) in the web page 44, and delivers the web page 44 to the web browser 42. The web displayer content then communicates with the web content manager 40 to retrieve display data from the server 16. In one example, when the web displayer content is associated with a video player, the display data is video data that is streamed from the server 16. In another example, when the web displayer content is associated with an ad displayer, the display data is ad data that is downloaded from the server 16.

While the web page 44 is being displayed, the content security manager 60 (FIG. 2) monitors communications between the web objects 46-58, between the objects and the servers 14, 16, and/or between the user and the web browser 42. The content security manager 60 (FIG. 2) identifies communications that may be generated from a potential threat source, communications that may interfere with the communications between the web objects 46-58, and communications that may interfere with the communications between the web objects 46-58 and the servers 14, 16. The content security manager 60 (FIG. 2) detects, intercepts, and/or reports these communications to safeguard the web page 44.

Turning now to FIG. 3, a dataflow diagram illustrates the content security manager 60 of FIG. 2 in more detail in accordance with an exemplary embodiment. The content security manager 60 includes one or more modules and datastores. As can be appreciated, the modules can be implemented as software, hardware, firmware and/or other suitable components that provide the described functionality. As can be appreciated, the modules shown in FIG. 2 can be combined and/or further partitioned to similarly monitor the various communications of the web page 44 (FIG. 1). In this example, the content security manager 60 includes a communications monitor module 62, a logger module 64, an interceptor module 66, and a threat datastore 68. The threat datastore 68 stores information about known threat sources. Such information can include, for example, an IP address, a communication type, a communication pattern, etc.

The communications monitor module 62 receives as input data associated with various types of communications between the web objects themselves and between the web objects and the server, including, but not limited to, inter-object communication data and object-server type communication data. For example, the communication data 70 can include a request to the server 16 (FIG. 1) to populate the video player or the ad displayer with video data or ad data.

The communications monitor module 62 monitors the communication data 70 and compares information in the communication data to data stored in the threat datastore 68. If the information matches or is substantially similar to identified threat sources in the threat datastore 68, the communications monitor module 62 generates communication threat data 72 identifying the communicating threat. The communications monitor module 62 generates communication event data 74 associated with the communication threat data 72 for logging purposes. The communication event data can include information indicating the conditions surrounding the communication request, for example, to what object the communication was made and/or from what object or entity the communication was made, etc.

The logger module 64 receives as input the communication event data 74. The logger module 64 generates report data 76 that reports the communication event data or a subset thereof to resources. The reports can be evaluated to determine threat patterns and/or threat sources that are associated with the communication threat data. In various embodiments, the threat datastore 68 can be updated based on the threat patterns and/or threat sources. In the event of a potential threat, respective resources are notified via threat notification data 78 of the vulnerability and given one or more options. In various embodiments, the options include, but are not limited to: reject or cancel the operation; monitor closely the patterns (e.g., when an unknown or new vulnerability is identified); automatically reject/block these requests in the future; trace the internet protocol (IP) address of the vulnerability and block; log the information and share with others; and collaborate with others and take action based thereon.

Selection data 80 is received by the logger module 64 based on a user's selection of one of the options. If the selection data 80 indicates to reject or cancel the operation, to automatically reject/block these requests in the future, or to trace the IP address of the vulnerability and block, the logger module 64 generates a block request 82 accordingly.

The interceptor module 66 receives as input the block request 82 and the communication threat data 72. Based on the block request 82, the interceptor module 66 intercepts the communication and blocks or cancels the associated request via interception data 84. For example, based on the type of block request, the interceptor module 66 can reject the particular operation associated with the request, can automatically block requests associated with this type of communication in the future, and/or can block all communications from the particular IP address. In various embodiments, the interceptor module 66 generates a notification via block notification data 86 to the communicating entity when the communication has been intercepted.

Turning now to FIGS. 4A-4C, various exemplary implementations of the content security manager 60 (FIG. 3) for video player objects 58 are shown. As shown in FIG. 4A, the content security manager 60a can be implemented as a container object that encapsulates the video player objects 58 and that includes event listeners. The event listeners, for example, monitor calls that the video data sends to the web browser 42 (FIG. 1) or to other web objects 46-56 (FIG. 2). As shown in FIG. 4B, the content security manager 60b can be implemented as an applet that monitors script events associated with the video player 52. As shown in FIG. 4C, the content security manager 60c can be implemented as a container, for example, an iFrame container or any other type of container, that houses a nested web page 88. The content security manager 60c captures script communications.

Turning now to FIGS. 5A-5B, various exemplary implementations of the content security manager 60 for web objects 46-56 are shown. As shown in FIG. 5A, the content security manager 60d can be implemented as a container object that monitors or encapsulates the web objects and provides awareness and capturing capabilities regarding JavaScript and other browser communications. In various embodiments, a container object 60e-60h can be provided around each web object 46-56 on the web page 44. Each container object 60e-60h includes JavaScripts that listen for commands. As shown in FIG. 5B, the content security manager 60i can be implemented as an applet that monitors communications between the various web objects 46-56.
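The container object of FIGS. 4A and 5A, which wraps a web object and listens for its outbound calls, can be sketched in browser JavaScript as a Proxy around the object. The block below is an added example and not code from the patent; the stand-in video player, its `request` and `send` method names, the allowlist listener and the sample URLs are all assumptions made for the illustration.

```javascript
// Added example, not the patent's code: a "container object" in the sense
// of FIGS. 4A and 5A, written as a JavaScript Proxy around a web object.
// The stand-in player, the method names and the listener contract
// (return false to cancel the call) are assumptions.

// Constructed stand-in for a video player object on the page. It talks to
// a content server (`request`) and to other web objects (`send`).
function makeVideoPlayer() {
  return {
    request(url) { return `loaded ${url}`; },
    send(targetObject, command) { return `sent ${command} to ${targetObject}`; },
    play() { return "playing"; }
  };
}

// Wraps a web object in a container. Calls to any method listed in
// commMethods are reported to the listener before they run; if the
// listener returns false the call is cancelled and never reaches the
// wrapped object. Other properties and methods pass through untouched.
function wrapWebObject(webObject, commMethods, listener) {
  return new Proxy(webObject, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== "function" || !commMethods.includes(prop)) {
        return value;
      }
      return function intercepted(...args) {
        if (listener({ method: prop, args }) === false) {
          return { cancelled: true, method: prop };
        }
        return value.apply(target, args);
      };
    }
  });
}

// Constructed listener: keeps an event log and cancels server requests to
// hosts outside the page's allowlist. Inter-object messages are logged but
// allowed; a fuller threat datastore check would plug in here.
function makeAllowlistListener(allowedHosts) {
  const log = [];
  function listener(event) {
    const entry = { method: event.method, args: event.args, allowed: true };
    if (event.method === "request") {
      try {
        entry.allowed = allowedHosts.includes(new URL(event.args[0]).hostname);
      } catch (e) {
        entry.allowed = false; // unparsable target: treat as not allowed
      }
    }
    log.push(entry);
    return entry.allowed;
  }
  return { listener, log };
}

// Runs the wrapper over a constructed sequence of calls.
function demo() {
  const { listener, log } = makeAllowlistListener(["content.example"]);
  const player = wrapWebObject(makeVideoPlayer(), ["request", "send"], listener);
  const ok = player.request("https://content.example/clip.mp4");
  const blocked = player.request("https://third-party.invalid/ad.swf");
  const msg = player.send("ad-52", "pause");
  const playing = player.play(); // not a communication method: passes through
  return { ok, blocked, msg, playing, log };
}
```

The wrapper only sees calls made through the proxied reference, so the page must hand out the container rather than the raw object; that is the design point behind encapsulating each web object in its own container 60e-60h.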

Turning now to FIG. 6, a flow chart illustrates a security method that can be performed by the content security manager 60 of FIG. 3 in accordance with an exemplary embodiment. As can be appreciated in light of the disclosure, the order of operation within the method is not limited to the sequential execution as illustrated in FIG. 6, but may be performed in one or more varying orders as applicable and in accordance with the present disclosure.

In various embodiments, the method is scheduled to run while the web page 44 (FIG. 1) is displayed by the web browser 42 (FIG. 1). In various other embodiments, the method is scheduled to run based on predetermined events and/or at scheduled intervals of time.

In one example, the method may begin at 100. Communications are monitored at 110. The communication information is compared with threat source information at 120. If the communication is a potential threat at 120, a notification is generated to a resource based on the threat type at 130. If, however, the communication is not a threat at 120, the method continues with monitoring the communications at 110.

Upon receiving a selection of an option that is generated by the resource at 140, the selection is evaluated at 150-170. If the selection indicates to block or cancel the communication at 150, based on the block or cancel type the specific communication is intercepted and canceled, and/or any communication from that source is intercepted and canceled, at 180, and a block notification is generated at 190. Thereafter, the threat datastore 68 (FIG. 3) is updated at 200 and the method may end at 205.

If, however, the selection indicates to log the information for later evaluation at 160, the communication information surrounding the particular threat communication is stored in a log file at 210 and the method may end at 205.

If, however, the selection indicates to collaborate with other resources at 170, a notification is generated to other resources at 220 and actions are taken based on a collective response at 230. The threat datastore 68 (FIG. 3) can optionally be updated based on the collective response at 200 and the method may end at 205.
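The dataflow of FIG. 3 (communications monitor, logger, interceptor and threat datastore) and the steps of FIG. 6 that drive it can be exercised end to end in JavaScript. The block below is an added example, not the patent's code: the datastore shape, the option names, the function names, the step numbers cited in comments and the constructed communications and addresses are all assumptions.

```javascript
// Added example, not the patent's code: the monitor / logger / interceptor
// dataflow of FIG. 3 driven through the steps of FIG. 6. Numerals in
// comments refer to the figures; names, shapes and sample data are assumed.

// Threat datastore (68): known threat sources by IP address, host and
// communication pattern, plus communication types blocked at runtime.
function makeThreatDatastore(seed) {
  return {
    ipAddresses: new Set(seed.ipAddresses || []),
    hosts: new Set(seed.hosts || []),
    patterns: (seed.patterns || []).map((p) => new RegExp(p)),
    blockedTypes: new Set(),
  };
}

// Communications monitor (62): compares one communication (70) with the
// datastore (step 120) and returns threat data (72) and event data (74),
// or null when nothing matches.
function monitorCommunication(store, comm) {
  const reasons = [];
  if (store.ipAddresses.has(comm.sourceIp)) reasons.push("known-ip");
  if (comm.url && store.hosts.has(new URL(comm.url).hostname)) reasons.push("known-host");
  if (store.patterns.some((re) => re.test(comm.payload || ""))) reasons.push("pattern");
  if (store.blockedTypes.has(comm.type)) reasons.push("blocked-type");
  if (reasons.length === 0) return null;
  return {
    threat: { reasons, sourceIp: comm.sourceIp, type: comm.type },
    event: { from: comm.from, to: comm.to, url: comm.url, type: comm.type, reasons },
  };
}

// Logger (64): report data (76) and the threat notification (78) carrying
// the response options the description lists (step 130).
const OPTIONS = ["cancel", "monitor", "block-future", "trace-and-block", "log", "collaborate"];
function buildNotification(event) {
  return { report: { ...event }, options: OPTIONS };
}

// Selection data (80) to block request (82): only the three blocking
// options yield a request for the interceptor.
function blockRequestFor(selection, threat) {
  switch (selection) {
    case "cancel": return { kind: "cancel-operation" };
    case "block-future": return { kind: "block-type", type: threat.type };
    case "trace-and-block": return { kind: "block-ip", ip: threat.sourceIp };
    default: return null;
  }
}

// Interceptor (66): applies the block request (steps 180-190) and updates
// the datastore (step 200) so the monitor catches repeats on its own.
function intercept(store, blockRequest) {
  if (blockRequest.kind === "block-type") store.blockedTypes.add(blockRequest.type);
  if (blockRequest.kind === "block-ip") store.ipAddresses.add(blockRequest.ip);
  return { intercepted: true, kind: blockRequest.kind, blockNotification: `blocked: ${blockRequest.kind}` };
}

// The FIG. 6 method for one communication; the resource's choice (140)
// is supplied as a callback.
function securityMethod(store, comm, selectOption, logFile) {
  const result = monitorCommunication(store, comm);                 // 110, 120
  if (!result) return { threat: false };
  const selection = selectOption(buildNotification(result.event));  // 130, 140
  const reasons = result.threat.reasons;
  if (selection === "log") {                                         // 160 -> 210
    logFile.push(result.event);
    return { threat: true, reasons, selection, logged: true };
  }
  if (selection === "collaborate") {                                 // 170 -> 220
    return { threat: true, reasons, selection, notifiedOthers: true };
  }
  const request = blockRequestFor(selection, result.threat);         // 150
  if (!request) return { threat: true, reasons, selection };         // e.g. "monitor"
  return { threat: true, reasons, selection, interception: intercept(store, request) };
}

// Three constructed communications (70); addresses are from the RFC 5737
// documentation ranges and the hosts are made up.
function demo() {
  const store = makeThreatDatastore({
    ipAddresses: ["203.0.113.7"],
    hosts: ["bad-ads.invalid"],
    patterns: ["window\\.location\\s*="],
  });
  const logFile = [];
  const comms = [
    { from: "ad-52", to: "server-16", url: "https://content.example/ad.json",
      sourceIp: "198.51.100.2", type: "ad-request", payload: "" },
    { from: "ad-52", to: "browser-42", url: "https://bad-ads.invalid/x",
      sourceIp: "203.0.113.7", type: "redirect", payload: "window.location = 'https://bad-ads.invalid/x'" },
    { from: "ad-54", to: "browser-42", url: "https://content.example/y",
      sourceIp: "198.51.100.9", type: "redirect", payload: "" },
  ];
  const r0 = securityMethod(store, comms[0], () => "trace-and-block", logFile);
  const r1 = securityMethod(store, comms[1], () => "block-future", logFile);
  // After r1 the "redirect" type is in blockedTypes, so r2 is flagged even
  // though its IP, host and payload are all clean.
  const r2 = securityMethod(store, comms[2], () => "log", logFile);
  return { r0, r1, r2, logFile, store };
}
```

The datastore update at step 200 is what turns a one-off decision into ongoing protection: once the resource chooses "block-future" for the redirect, the monitor itself flags the next redirect without any match on IP, host or payload.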

As one example, one or more aspects of the present disclosure can be included in an article of manufacture (e.g., one or more computer program products) having, for instance, computer usable media. The media has embodied therein, for instance, computer readable program code means for providing and facilitating the capabilities of the present disclosure. The article of manufacture can be included as a part of a computer system or provided separately.

Additionally, at least one program storage device readable by a machine, tangibly embodying at least one program of instructions executable by the machine to perform the capabilities of the present disclosure can be provided.

Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as XML, Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Those skilled in the art can now appreciate from the foregoing description that the broad teachings of the present invention can be implemented in a variety of forms. Therefore, while this invention has been described in connection with particular examples thereof, the true scope of the invention should not be so limited since other modifications will become apparent to the skilled practitioner upon a study of the drawings, the specification and the following claims.

CLAIMS

1. A web content security system embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors, the web content security system comprising: a communications monitor module that monitors at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server, and that identifies a potential threat based on the data communications; and a logger module that generates report data based on the identified potential threat.

2. The system of claim 1 wherein the communications monitor module identifies the potential threat based on threat data stored in a threat datastore.

3. The system of claim 2 further comprising the threat datastore.

4. The system of claim 1 further comprising an interceptor module that intercepts data communications and at least one of cancels and blocks the data communications based on the identified potential threats.

5. The system of claim 4 wherein at least one of the interceptor module and the logger module perform, based on the identified potential threat, at least one of cancel an operation associated with the data communication, monitor communication patterns associated with the data communication, automatically block requests associated with the data communications in subsequent data communications, trace an internet protocol (IP) address associated with the data communication and block subsequent data communications from that IP address, log information associated with the data communication, and collaborate with others and take action based on a collective response.

6. The system of claim 1 wherein the logger module further generates a notification indicating the potential threat and one or more threat response options.

7. The system of claim 6 wherein the logger module updates a threat datastore based on a selection of the one or more threat response options.

8. The system of claim 6 wherein the one or more threat response options include at least one of a cancel operation option, a monitor communication patterns option, an automatically block requests in the future option, a trace an associated internet protocol (IP) address and block option, a log associated information option, and a collaborate with others option.

9. A method of identifying a potential threat to a web page, comprising: performing on a processor, monitoring at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server; identifying the potential threat based on the data communications; and generating report data based on the identified potential threat.

10. The method of claim 9 wherein the report data includes a notification indicating the potential threat and one or more threat response options.

11. The method of claim 9 wherein the identifying the potential threat is further based on a comparison of information associated with the data communications with threat information stored in a threat datastore.

12. The method of claim 9 further comprising canceling an operation associated with the data communication based on the potential threat.

13. The method of claim 9 further comprising monitoring communication patterns associated with the data communication based on the potential threat.

14. The method of claim 9 further comprising automatically blocking requests associated with the data communication in subsequent data communications based on the potential threat.

15. The method of claim 9 further comprising tracing an internet protocol (IP) address associated with the data communication and blocking subsequent data communications from that IP address based on the potential threat.

16. The method of claim 9 further comprising logging information associated with the data communication based on the potential threat.

17. The method of claim 9 further comprising collaborating with other resources and taking action based on a collective response based on the potential threat.

18. A web page embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors, the web page comprising: a web object embedded in the web page; and a content security manager embedded in the web page that monitors data communications between the web object and a server, and that identifies a potential threat based on the data communications.

19. The web page of claim 18 further comprising a plurality of web objects embedded on the web page, and wherein the content security manager monitors data communications between the plurality of web objects and identifies the potential threat based on the data communications between the plurality of web objects.

20. The web page of claim 18 wherein the content security manager performs, based on the identified potential threat, at least one of cancel an operation associated with the data communication, monitor communication patterns associated with the data communication, automatically block requests associated with the data communications in subsequent data communications, trace an internet protocol (IP) address associated with the data communication and block subsequent data communications from that IP address, log information associated with the data communication, and collaborate with others and take action based on a collective response.

21. The web page of claim 18 wherein the content security manager maintains a threat datastore that stores information associated with the potential threats.

22. The web page of claim 18 wherein the content security manager module identifies the potential threat based on a comparison of information associated with the data communication with data in a threat datastore.

23. The web page of claim 18 wherein the web object is a video player object.

24. The web page of claim 18 wherein the web object is at least one of an advertisement object, a poll object, a game object, and an information object.

25. The web page of claim 18 wherein the content security manager is implemented as a container object of the web page.

26. The web page of claim 18 wherein the content security manager is implemented as an applet of the web page.

27. The web page of claim 18 wherein the content security manager is implemented as a frame object of the web page.